How Does Safari Reaper Work?

The attack takes advantage of a flaw in WebKit, Safari’s webpage rendering engine, that can overload an affected device. It works by nesting a very large number of elements (in Haddouche’s case, over 3,000 <div> tags) with the CSS backdrop-filter property applied.

Because the attack relies on CSS, it could theoretically be hidden in any otherwise normal webpage. While it can’t be shared via SMS text message like some text bombs, the attack could hypothetically be embedded within an HTML email message, which could crash a device when that email is opened.

In essence, the attack hides thousands of elements in a single line of code. When a web browser goes to render a webpage containing that code, it uses up all of the device’s memory resources and causes a kernel panic.
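A mail gateway or content filter can check for the pattern described above before the HTML reaches a WebKit renderer. The following Python scanner is an added example, not code from Haddouche or Apple; the 256-level depth threshold, the verdict names and both sample documents are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Matches the standard and -webkit- prefixed property name; the value is ignored.
BACKDROP_RE = re.compile(r"(?:-webkit-)?backdrop-filter\s*:", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # elements that never nest

class NestingScanner(HTMLParser):
    """Tracks open-element depth and any use of backdrop-filter in inline CSS."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = self.max_depth = self.elements = 0
        self.backdrop = self._in_style = False

    def handle_starttag(self, tag, attrs):
        self.elements += 1
        if BACKDROP_RE.search(dict(attrs).get("style") or ""):
            self.backdrop = True          # style="..." attribute
        self._in_style = tag == "style"
        if tag not in VOID:               # unclosed tags keep the depth growing
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        self._in_style = False
        if tag not in VOID and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self._in_style and BACKDROP_RE.search(data):
            self.backdrop = True          # <style> block; linked sheets are not fetched

def scan_html(html, max_depth=256):       # 256 is an assumed threshold, tune locally
    s = NestingScanner()
    s.feed(html)
    s.close()
    deep = s.max_depth > max_depth
    verdict = "block" if deep and s.backdrop else "review" if deep else "pass"
    return {"max_depth": s.max_depth, "elements": s.elements,
            "backdrop_filter": s.backdrop, "verdict": verdict}

# Constructed samples (not captured traffic); filter value is deliberately inert.
BENIGN = "<html><body><div style='backdrop-filter: none'><p>Hi<br>there</p></div></body></html>"
SUSPECT = "<style>div{backdrop-filter:none}</style>" + "<div>" * 300 + "</div>" * 300

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_html(doc))
```

Deep nesting alone yields "review" rather than "block", since some legitimate HTML email is deeply nested; only the combination with backdrop-filter is blocked outright.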

The attack has been shown to affect essentially every recent version of Apple’s mobile operating system, from iOS 7 to the newly released iOS 12. Haddouche notes that the code affects “anything that renders HTML on iOS,” meaning that social media apps like Twitter and Facebook could be affected by it.

The code can also crash and reboot macOS devices if a link to the page is opened in Safari. According to at least one user, Safari on Mac may also attempt to automatically bring up the text bomb webpage again once the computer restarts. That could, in theory, cause perpetual crashing for some users.

Twitter user Robert Petersen also seemed to demonstrate that Apple Watch devices can be affected if the webpage is opened in Safari.

Should You Be Worried?

Like most text bombs, the CSS attack is annoying and inconvenient. But thankfully, there’s little risk of long-term damage and your private data can’t be stolen.

The security researcher shared his findings with Apple on Friday. It’s likely that the Cupertino tech giant is currently investigating the problem and will release a fix in a future update.

But until a patch is introduced, there’s little that can be done to avoid the kernel panic or reboots.

As always, be vigilant about unsolicited links. If you’re having trouble getting a device to restart without crashing perpetually, try disconnecting it from the internet.